IKEv2

IKEv2 (Internet Key Exchange version 2) is a protocol that establishes and handles SAs (Security Associations). Usually these SAs are used with IPSec (in fact, IKEv2 is part of the IPSec suite).

Like IPSec, IKEv2 uses a modular CLI for configuration.

crypto ikev2 dpd (1-3600)

Set IKEv2 dead peer detection parameters. The first parameter indicates how often the liveness check is performed.

IKEv2 proposal

A proposal consists of a suite of encryption and HMAC algorithms for IKEv2 SA creation. Together with the IPSec transform set, proposals define the IKEv2/IPSec algorithm suite; the proposal is the first thing negotiated in IKEv2.

crypto ikev2 proposal IKEPOSAL

Create a new IKEv2 proposal named IKEPOSAL.

encryption ALGORITHM

Use ALGORITHM as the encryption algorithm for IKEv2 SA creation and negotiation.

integrity ALGORITHM

Use ALGORITHM as the HMAC (integrity) algorithm for IKEv2 SA creation and negotiation.

group GROUP

Use GROUP as the Diffie-Hellman group.

Example :

soodar(config)# crypto ikev2 proposal sample-proposal
soodar(config-ikev2-proposal)# encryption aes-192
soodar(config-ikev2-proposal)# integrity sha1-96
soodar(config-ikev2-proposal)# group 28

IKEv2 keyring

As the name suggests, this structure holds the identity of each peer, its address and its authentication material.

crypto ikev2 keyring IKEKEYRING

Create a new IKEv2 keyring named IKEKEYRING.

peer PEER

Create a new peer named PEER in the keyring.

pre-shared-key LINE

Set the peer's PSK used for authentication.

identity address <A.B.C.D|X:X::X:X>

Use an address as the peer's identity. This identity is used during negotiation and lets each side identify the other.

identity fqdn FQDN

Use an FQDN as the peer's identity. This identity is used during negotiation and lets each side identify the other.

identity email MAIL

Use a mail address as the peer's identity. This identity is used during negotiation and lets each side identify the other.

Example :

soodar(config)# crypto ikev2 keyring keyring-1
soodar(config-ikev2-keyring)# peer PC-1
soodar(config-ikev2-keyring-peer)# identity email home@sweet.home
soodar(config-ikev2-keyring-peer)# pre-shared-key 123@321
soodar(config-ikev2-keyring)# peer PC-2
soodar(config-ikev2-keyring-peer)# identity address 1.1.1.1
soodar(config-ikev2-keyring-peer)# pre-shared-key ITSAHARDPASSWD!!

IKEv2 profile

The main IKEv2 configuration structure; it ties together the local address and identity, the authentication methods, the expected remote identity, the keyring and the proposal.

match address local A.B.C.D

Send IKEv2 packets from this address. If it is not set, the packets may use any IP address available on the router.

Note

It is good practice to set the local address explicitly. It prevents problems caused by route changes, which could change the source IP address of the packets and cause them to be rejected by the IKEv2 peer.

identity local address <A.B.C.D|X:X::X:X>

Define an address as the local identity. During the IKEv2 session the router introduces itself to its peer by this identity.

identity local fqdn FQDN

Define an FQDN as the local identity. During the IKEv2 session the router introduces itself to its peer by this identity.

identity local email MAIL

Define a mail address as the local identity. During the IKEv2 session the router introduces itself to its peer by this identity.

authentication local rsa-sig

Use an RSA digital signature as the authentication method during init.

Note

The certificate used is the one whose SAN matches the local identity.

authentication local pre-share

Use a Shared Key Message Integrity Code (pre-shared key) as the authentication method during init.

authentication remote rsa-sig

Expect an RSA digital signature from the peer as its authentication method during init.

authentication remote pre-share

Expect a Shared Key Message Integrity Code (pre-shared key) from the peer as its authentication method during init.

match identity remote address <A.B.C.D|X:X::X:X>

The expected remote identity, as an address. Other information about this peer is looked up in the keyring.

match identity remote fqdn FQDN

The expected remote identity, as an FQDN. Other information about this peer is looked up in the keyring.

match identity remote email EMAIL

The expected remote identity, as a mail address. Other information about this peer is looked up in the keyring.

match certificate

Match DN fields and values as the peer identity. Wildcards are allowed.

Note

The peer should use RSA digital signature as its authentication method, and it should use its DN as its identity.

Example:

soodar(config-ikev2-profile)# match certificate C=IR, CN=*.temp.ir

Matches all peers that use their DN as their identity, whose certificate is issued in Iran (C=IR) and whose CN is a sub-domain of temp.ir.
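To make the behaviour of a wildcard DN rule such as `C=IR, CN=*.temp.ir` concrete, the following added example (not the router's own code) implements one plausible matcher and runs it against a few constructed peer DNs. The page does not spell out the exact semantics, so these are assumptions: every attribute listed in the rule must be present in the peer DN, `*` matches any run of characters, and the match is anchored over the whole attribute value, so `vpn.temp.ir.evil.com` does not satisfy `*.temp.ir`.

```python
"""Wildcard DN matching in the spirit of 'match certificate C=IR, CN=*.temp.ir'.

Added example, not the router's code. Assumed semantics (not stated on the page):
  * the rule is a comma-separated list of ATTR=VALUE pairs;
  * every attribute named in the rule must appear in the peer DN;
  * '*' matches any run of characters, and the whole value must match;
  * attribute names are compared case-insensitively, values likewise.
Escaped commas inside values (e.g. 'O=Foo\\, Inc') are not handled here.
"""
from __future__ import annotations

import fnmatch
import re


def parse_dn(dn: str) -> dict[str, str]:
    """Split 'C=IR, CN=vpn.temp.ir' into {'C': 'IR', 'CN': 'vpn.temp.ir'}."""
    fields: dict[str, str] = {}
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {part!r}")
        fields[attr.strip().upper()] = value.strip()
    return fields


def dn_matches(rule: str, peer_dn: str) -> bool:
    """True when every attribute in the rule is present in peer_dn and its value
    fully matches the rule's wildcard pattern.

    Attributes the rule does not mention are ignored, so a rule acts as a filter
    rather than an exact DN. Note that '*' also spans dots, so '*.temp.ir'
    accepts 'a.b.temp.ir' as well as 'vpn.temp.ir'.
    """
    wanted = parse_dn(rule)
    have = parse_dn(peer_dn)
    for attr, pattern in wanted.items():
        value = have.get(attr)
        if value is None:
            return False
        # fnmatch.translate() yields an anchored regex, so the glob cannot
        # match a prefix of a longer value such as 'vpn.temp.ir.evil.com'.
        regex = re.compile(fnmatch.translate(pattern), re.IGNORECASE)
        if regex.match(value) is None:
            return False
    return True


# Constructed sample peer DNs (none of these are from the page).
SAMPLE_PEERS = {
    "CN=vpn.temp.ir, C=IR": True,              # CN is a sub-domain, country matches
    "CN=a.b.temp.ir, O=Example, C=IR": True,   # extra attributes are ignored
    "CN=temp.ir, C=IR": False,                 # the apex is not '*.temp.ir'
    "CN=vpn.temp.ir.evil.com, C=IR": False,    # anchored: no suffix sneaking past
    "CN=vpn.temp.ir, C=US": False,             # country does not match
    "CN=vpn.temp.ir": False,                   # required attribute C is absent
}


def evaluate_samples(rule: str = "C=IR, CN=*.temp.ir") -> dict[str, bool]:
    """Run the rule over the sample DNs and return the verdict for each."""
    return {dn: dn_matches(rule, dn) for dn in SAMPLE_PEERS}


if __name__ == "__main__":
    for dn, verdict in evaluate_samples().items():
        print(f"{'MATCH  ' if verdict else 'reject '} {dn}")
```

The anchored match is the property to check when writing such rules: a pattern that only had to match a prefix or a substring would let a certificate for an unrelated domain that merely contains `temp.ir` satisfy the profile.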

keyring local IKEKEYRING

Use keyring IKEKEYRING for peer lookup.

proposal IKEPOSAL

Use IKEPOSAL as the proposal for the IKEv2 SA.

lifetime <120-86400>

Set the IKEv2 profile lifetime. A rekey takes place when the lifetime expires.

Example :

soodar(config)# crypto ikev2 profile VPN
soodar(config-ikev2-profile)# identity local address 192.168.1.1
soodar(config-ikev2-profile)# match identity remote email home@sweet.home
soodar(config-ikev2-profile)# keyring local keyring-1
soodar(config-ikev2-profile)# proposal sample-proposal
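A profile only works when the other side mirrors it: the local identity configured here must be what the peer lists under `match identity remote`, the `authentication local` method must be what the peer sets as `authentication remote`, the PSKs stored in both keyrings must be the same, and the two proposals must share algorithms. The following added example (not the router's own code) models the proposal, keyring and profile objects from this page in Python and cross-checks a pair of routers before the tunnel is brought up. The "soodar" side is taken from the examples above; the "PC-1" side, the checking logic and the function names are constructed assumptions. It goes a little beyond the page by letting a proposal carry several algorithms per category, so that the overlap check reflects how negotiation works.

```python
"""Cross-check two routers' IKEv2 proposal/keyring/profile settings.

Added example, not the router's code. The data model mirrors the CLI objects on
this page; the PC-1 side and all checking logic are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

Identity = tuple[str, str]  # ('address' | 'fqdn' | 'email', value)


@dataclass
class Proposal:
    # Sets, so one proposal may offer several algorithms; the page shows one each.
    encryption: set[str]
    integrity: set[str]
    group: set[int]


@dataclass
class Peer:                      # one 'peer' entry inside a keyring
    identity: Identity
    psk: str


@dataclass
class Profile:                   # 'crypto ikev2 profile'
    local_identity: Identity     # identity local ...
    remote_match: Identity       # match identity remote ...
    auth_local: str              # 'pre-share' or 'rsa-sig'
    auth_remote: str
    keyring: str                 # keyring local ...
    proposal: str                # proposal ...
    lifetime: int = 86400        # lifetime <120-86400>
    local_address: str | None = None   # match address local ...


@dataclass
class Router:
    name: str
    proposals: dict[str, Proposal]
    keyrings: dict[str, dict[str, Peer]]   # keyring name -> peer name -> Peer
    profile: Profile
    dpd: int | None = None       # crypto ikev2 dpd (1-3600)


def find_peer(router: Router, identity: Identity) -> Peer | None:
    """Keyring lookup by identity, as 'match identity remote' implies."""
    for peer in router.keyrings.get(router.profile.keyring, {}).values():
        if peer.identity == identity:
            return peer
    return None


def check_router(r: Router) -> list[str]:
    """Single-side checks: referenced objects exist and values are in CLI ranges."""
    p, errs = r.profile, []
    if p.proposal not in r.proposals:
        errs.append(f"{r.name}: proposal {p.proposal!r} not defined")
    if p.keyring not in r.keyrings:
        errs.append(f"{r.name}: keyring {p.keyring!r} not defined")
    elif find_peer(r, p.remote_match) is None:
        errs.append(f"{r.name}: no keyring peer with identity {p.remote_match}")
    if not 120 <= p.lifetime <= 86400:
        errs.append(f"{r.name}: lifetime {p.lifetime} outside 120-86400")
    if r.dpd is not None and not 1 <= r.dpd <= 3600:
        errs.append(f"{r.name}: dpd {r.dpd} outside 1-3600")
    if p.local_address is None:   # the page's note: pin the source address
        errs.append(f"{r.name}: 'match address local' unset, source IP follows routing")
    return errs


def check_pair(a: Router, b: Router) -> list[str]:
    """Both-sides checks: what one side sends must be what the other expects."""
    errs = check_router(a) + check_router(b)
    for me, other in ((a, b), (b, a)):
        if me.profile.local_identity != other.profile.remote_match:
            errs.append(f"{me.name} identifies as {me.profile.local_identity} but "
                        f"{other.name} expects {other.profile.remote_match}")
        if me.profile.auth_local != other.profile.auth_remote:
            errs.append(f"{me.name} authenticates with {me.profile.auth_local} but "
                        f"{other.name} expects {other.profile.auth_remote}")
    if a.profile.auth_local == "pre-share" and a.profile.auth_remote == "pre-share":
        pa = find_peer(a, b.profile.local_identity)
        pb = find_peer(b, a.profile.local_identity)
        if pa and pb and pa.psk != pb.psk:
            errs.append("PSK mismatch between the two keyrings")
    # Negotiation needs at least one common choice in every algorithm category.
    pra, prb = a.proposals.get(a.profile.proposal), b.proposals.get(b.profile.proposal)
    if pra and prb:
        for cat in ("encryption", "integrity", "group"):
            if not getattr(pra, cat) & getattr(prb, cat):
                errs.append(f"no common {cat} algorithm between proposals")
    return errs


def sample_pair(psk_on_pc1: str = "123@321") -> tuple[Router, Router]:
    """Constructed sample: the page's 'soodar' side and a mirroring 'PC-1' side."""
    soodar = Router("soodar", {"sample-proposal": Proposal({"aes-192"}, {"sha1-96"}, {28})},
        {"keyring-1": {"PC-1": Peer(("email", "home@sweet.home"), "123@321"),
                       "PC-2": Peer(("address", "1.1.1.1"), "ITSAHARDPASSWD!!")}},
        Profile(("address", "192.168.1.1"), ("email", "home@sweet.home"),
                "pre-share", "pre-share", "keyring-1", "sample-proposal",
                local_address="192.168.1.1"), dpd=30)
    pc1 = Router("PC-1", {"prop": Proposal({"aes-192", "aes-256"}, {"sha1-96"}, {28})},
        {"kr": {"soodar": Peer(("address", "192.168.1.1"), psk_on_pc1)}},
        Profile(("email", "home@sweet.home"), ("address", "192.168.1.1"),
                "pre-share", "pre-share", "kr", "prop", local_address="10.0.0.2"), dpd=30)
    return soodar, pc1


if __name__ == "__main__":
    print("consistent pair:", check_pair(*sample_pair()) or "no findings")
    print("typo in PC-1 PSK:", check_pair(*sample_pair("123@312")))
```

Running the script reports nothing for the mirrored pair and a single PSK-mismatch finding when the PC-1 side's key is mistyped; the same finding structure catches a profile that references a proposal or keyring that was never created, which is the most common reason a tunnel silently fails to come up after a partial configuration change.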